The Belgian Data Protection Authority (DPA) has delivered its opinion on two draft cooperation agreements (one legislative agreement and one implementing agreement) relating in particular to the extension of the scope of the Covid Safe Ticket (CST) (see here). These drafts make amendments to the cooperation agreement of 14 July 2021. If the texts are finally adopted (there is almost no doubt), the CST could be required for example in the HORECA sector as well as in the cultural, festive and recreational sectors (the drafts propose an exhaustive list of sectors). The extension needs that the federated entities adopt legal texts to be implemented on their own territory. Brussels and Wallonia have indicated (in the press) that they want to use this possibility. Texts are expected to be adopted very soon.
In short, the DPA confirms that these extensions of the CST constitute an interference with the protection of personal data. It accepts that the objective of the CST is laudable: to limit the circulation of the virus and avoid saturation of hospital services. However, it notes that this objective is not clearly reflected in the agreements. It also considers (1) that the drafts do not sufficiently demonstrate that the CST is necessary to achieve this objective and (2) that they are no other less intrusive measures that could have been taken instead of the CST. Ultimately, the DPA does not reject the use of CST, but asks for more clear justification.
By Edouard Cruysmans and Erik Valgaeren